apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: falcoauditrules.deckhouse.io
  labels:
    heritage: deckhouse
    module: runtime-audit-engine
spec:
  group: deckhouse.io
  scope: Cluster
  names:
    plural: falcoauditrules
    singular: falcoauditrule
    kind: FalcoAuditRules
    shortNames:
    - far
  preserveUnknownFields: false
  versions:
  - name: v1alpha1
    served: true
    storage: true
    schema:
      openAPIV3Schema:
        type: object
        required: ["spec"]
        properties:
          spec:
            type: object
            required: ["rules"]
            properties:
              requiredEngineVersion:
                type: integer
                description: |
                  Used to ensure compatibility between the rules content and the Falco engine version.
              requiredK8sAuditPluginVersion:
                type: string
                description: |
                  Used to ensure compatibility between the rules content and plugin versions.
              rules:
                type: array
                minLength: 1
                description: |
                  Describes the Falco rules that will be applied to monitor the cluster runtime.

                  These rules help detect threats at runtime by observing the behavior of your applications and containers.

                  Refer to [the Falco documentation](https://falco.org/docs/rules/) and [reference](https://falco.org/docs/reference/rules/) for more details.
                items:
                  type: object
                  oneOf:
                  - required: ["macro"]
                  - required: ["list"]
                  - required: ["rule"]
                  properties:
                    rule:
                      type: object
                      description: |
                        Defines the conditions under which an alert is to be generated.

                        The rule is accompanied by a descriptive output string that is sent with an alert.
                      required:
                      - "name"
                      - "condition"
                      - "desc"
                      - "output"
                      - "priority"
                      properties:
                        name:
                          type: string
                          description: |
                            A short, unique name for the rule.
                        condition:
                          type: string
                          description: |
                            A filtering expression that is applied to events to check whether they match the rule.
                        desc:
                          type: string
                          description: |
                            A detailed description of what the rule detects.
                        output:
                          type: string
                          description: |
                            A message to output if a matching event occurs.
                        priority:
                          type: string
                          description: |
                            A severity of the event.
                          enum: ["Emergency", "Alert", "Critical", "Error", "Warning", "Notice", "Informational", "Debug"]
                        enabled:
                          type: boolean
                          default: true
                          description: |
                            If set to `false`, a rule is neither loaded nor matched against any events.
                        tags:
                          type: array
                          description: |
                            A list of tags applied to the rule.
                          items:
                            type: string
                        source:
                          type: string
                          description: |
                            The event source for which this rule is to be evaluated.
                          default: "Syscall"
                          enum: ["Syscall", "K8sAudit"]
                    macro:
                      type: object
                      description: |
                        Rule condition snippets that can be re-used inside other rules and even macros.

                        Macros provide a way to name common patterns and eliminate redundancies in the rules.
                      required: ["name", "condition"]
                      properties:
                        name:
                          type: string
                          description: |
                            A short, unique name for the macro.
                        condition:
                          type: string
                          description: |
                            A filtering expression that is applied to events to check whether they match the rule.
                    list:
                      type: object
                      description: |
                        Collections of items that can be included in rules, macros, or other lists.

                        Unlike rules and macros, lists cannot be parsed as filtering expressions.
                      required: ["name", "items"]
                      properties:
                        name:
                          type: string
                          description: |
                            A unique name for the list (as a slug).
                        items:
                          type: array
                          description: |
                            A list of values.
                          items:
                            x-kubernetes-int-or-string: true
                            anyOf:
                            - type: integer
                            - type: string
